Occasional failed start for certbot.renew snap

From time to time I see this in our logs:

Dec 07 20:22:47 alice.hatters.org.uk systemd[1]: Failed to start Service for snap application certbot.renew.

In the letsencrypt log for that time, I see:

2025-12-07 20:22:47,047:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/renewal-info/56ufDywzoFPTXk94yLKEDjvWkjM.BYARbiSbhHTv3y9NJV5H3iH0 HTTP/1.1" 200 101
2025-12-07 20:22:47,048:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 07 Dec 2025 20:22:46 GMT
Content-Type: application/json
Content-Length: 101
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Retry-After: 21600
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "suggestedWindow": {
    "start": "2025-12-21T06:06:21Z",
    "end": "2025-12-23T01:17:10Z"
  }
}

I ran a certbot renew --dry-run and there are a couple of dead domains, but that's expected. Is this just snap's way of saying some domains failed to renew? As far as I can tell everything else is OK.

Apache 2.4.52
Ubuntu 22.04.5 LTS
certbot 5.2.1

Maybe Certbot has some kind of failure but that looks more like a problem with snap or its timer. What do these show?

sudo systemctl status --no-pager -l snap.certbot.renew.timer

sudo systemctl list-timers --no-pager -l | grep certbot

The "Failed to start Service" is odd because you have a log with entries from the same time. Was there anything else in the Certbot log?

2 Likes

Thanks - here's what I've got:

$ sudo systemctl status --no-pager -l snap.certbot.renew.timer
● snap.certbot.renew.timer - Timer renew for snap application certbot.renew
     Loaded: loaded (/etc/systemd/system/snap.certbot.renew.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Thu 2025-12-04 02:56:01 GMT; 5 days ago
    Trigger: Tue 2025-12-09 20:20:00 GMT; 5h 13min left
   Triggers: ● snap.certbot.renew.service
$ sudo systemctl list-timers --no-pager -l | grep certbot
Tue 2025-12-09 20:20:00 GMT 5h 11min left      Tue 2025-12-09 01:26:01 GMT 13h ago       snap.certbot.renew.timer       snap.certbot.renew.service

The only other error-looking thing at that time was:

2025-12-07 20:22:47,049:INFO:certbot.ocsp:Cannot extract OCSP URI from /etc/letsencrypt/archive/www.stonehengecampaign.org.uk/cert58.pem

That is normal. Let's Encrypt certs no longer use OCSP (use CRL instead). Certbot supports other Certificate Authorities so the message might apply to those.

I should have had you check the service too.

sudo systemctl status --no-pager -l snap.certbot.renew.service
sudo journalctl -u snap.certbot.renew.service

I am hoping to get more details on why it did not start when it apparently did.

Perhaps Certbot exits with a non-zero exit code because of your "dead domains". And, as you guessed, maybe that is the cause of this start failure log message. You had this kind of failure before although we saw messages describing the non-zero exit code: A question about certbot apt vs snap on Ubuntu - #6 by gilgongo

I am not an expert with snap debugging; these are just routine systemd checks. If no one else here has suggestions, you might try the EFF's GitHub for Certbot. Or, maybe even the Snapcraft support forum: https://forum.snapcraft.io/

2 Likes

Ah yes, I'd forgotten all about that from a few years ago. Well spotted. The error may well be fine.

I guess I'm just paranoid :)

Well, the error about "Failed to start" is different than failed with exit-code as it did before.

So, there may be something different this time. Really not sure. You could clean up your failing renewals and see if it continues. You should do that anyway :)

If you don't need certs use:

sudo certbot delete --cert-name X

Where X is the cert-name from: sudo certbot certificates

Just make sure no service references the cert files, otherwise those may fail (Apache, mail systems, ...)

4 Likes
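
A pre-delete check for the advice above about services that still reference the cert files, as an added example that is not from the thread: it searches config trees for active (non-comment) references to a lineage under certbot's default /etc/letsencrypt/live and archive paths. The function names, the sample configs and the example.org names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes certbot's default layout,
# /etc/letsencrypt/{live,archive}/<cert-name>/, and plain-text configs.

# find_cert_refs CERT_NAME PATH...
# Prints file:line:text for each active (non-comment) reference to the lineage.
# Exit status 0 = still referenced, 1 = no references found.
find_cert_refs() {
    name=$1; shift
    # Escape regex metacharacters so the dots in a domain match literally.
    esc=$(printf '%s' "$name" | sed 's/[][\.*^$+?(){}|]/\\&/g')
    # The trailing slash stops "example.org" from matching "example.org.uk".
    pattern="/etc/letsencrypt/(live|archive)/${esc}/"
    grep -rnHIE -- "$pattern" "$@" 2>/dev/null |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# make_sample_tree DIR: constructed configs for trying the check offline.
make_sample_tree() {
    mkdir -p "$1/apache2/sites-enabled" "$1/postfix"
    cat > "$1/apache2/sites-enabled/www.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.org
    SSLCertificateFile /etc/letsencrypt/live/www.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.org/privkey.pem
    # SSLCertificateFile /etc/letsencrypt/live/old.example.org/fullchain.pem
</VirtualHost>
EOF
    cat > "$1/postfix/main.cf" <<'EOF'
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.org/privkey.pem
EOF
}

# Usage: sh cert_refs.sh CERT_NAME /etc/apache2 /etc/postfix ...
if [ "$#" -ge 2 ]; then
    if find_cert_refs "$@"; then
        echo "'$1' is still referenced; fix the files above first." >&2
        exit 2
    fi
    echo "No active references to '$1' found."
fi
```

Run it with the cert-name from sudo certbot certificates and the config directories of every service that terminates TLS on the host; an exit status of 2 means the lineage is still in use.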
